DNS over HTTPS on OpenWRT 18.06

DNS over HTTPS on OpenWRT 18.06

Earlier I wrote about using stubby to achieve DNS over HTTPS on Lede 17.01. The Lede and OpenWRT folks have merged their fork and now we have OpenWRT 18.06 as the logical successor. Great! So I upgraded. And of course... it broke. Stubby is no longer present.

No problem. I got this.

opkg install luci-app-unbound unbound unbound-control

# cat /etc/unbound/unbound_ext.conf 
##############################################################################
# UNBOUND UCI USER ADDED CLAUSES
#
# Put your own forward:, view:, stub:, and control: clauses here. This file is
# appended to the end of UCI auto generated 'unbound.conf'. This is done with
# include: statement. Notice, it is outside of the server: clause.
##############################################################################
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853                   
  forward-addr: 1.0.0.1@853                             
  forward-addr: 2606:4700:4700::1111@853
  forward-addr: 2606:4700:4700::1001@853
  forward-ssl-upstream: yes   

Now, lets tell unbound to listen on port 5453: Add option listen_port '5453' to /etc/config/unbound. Now tell dnsmasq to not use resolv.conf. In /etc/config/dhcp, add option noresolv '1'. You would think you can add option server '127.0.0.1#5453' here and be done. But, that didn't work. So I added this line to /etc/dnsmasq.conf:

server=127.0.0.1#5453

And now we are done. Lets check:

# tcpdump -n -i eth0 port 53 or port 5453 or host 1.1.1.1 or host 1.0.0.1

(now switch to a machine other than the router, do some DNS-needing queries, observe its all on TCP to one of these hosts)

I removed the pins that I had there from stubby, they are not required since I have the proper CA installed in the router.

Quickly send the browser to https://test-ipv6.com/ . Great, 10/10, so we have not broken AAAA either.

Leave a Reply

Your email address will not be published. Required fields are marked *

*